CVE-2026-4558

CVE-2026-4558 is an OS command injection vulnerability in the smartConnectConfigure function within the SmartConnect.lua file of the Linksys MR9600 router running firmware version 2.0.6.206937. The flaw arises from improper handling of the arguments configApSsid, configApPassphrase, srpLogin, and srpPassword, allowing malicious input to execute arbitrary operating system commands. It is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation.

Attackers with low privileges (PR:L), such as authenticated users on the device, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling full system compromise such as executing arbitrary commands, potentially leading to router takeover, data theft, or further network pivoting.

Advisories from VulDB (ctiid.352385, id.352385, submit.775036) and a GitHub issue (utmost3/cve/issues/1) detail the vulnerability and confirm that a public exploit is available for use. The vendor, Linksys, was notified early but has not responded or issued any patches, leaving affected devices unmitigated as per available references.

Notable context includes the published exploit, which increases the risk of real-world attacks against unpatched Linksys MR9600 routers on this firmware version. No evidence of widespread exploitation in the wild is reported in the provided data.